A New Complex Situation Creates a Number of Challenges to Correctly Identify Targets...

How do you accurately identify targets across multiple applications, multiple physical locations, multiple terminals and multiple identities?

Challenge #1: Identify Users across all Types of Communications

■ New challenges for LEAs
■ People are no longer linked to physical subscriber lines
■ The same person can communicate in several ways
■ Example: VoIP, Instant Messaging, Webmail, FTP, etc.
■ How to launch interception across all communication with a single trigger?

Answer

■ Identify users and intercept all types of communication initiated by the same user when a trigger such as “user login” is detected
■ Identify Internet access point and physical device of targeted user
■ Link trigger to IP address, MAC address, IMSI, IMEI, etc.
■ Show all communication on the same screen, in real-time: Webmail, Instant Messaging, FTP, P2P, Financial Transactions

1. Trigger = VoIP activity on monitored user login
2. Link user login to:
   - User MAC
   - or IP address
   - or IMSI
3. Intercept VoIP + Webmail + Chat from a particular user on a certain PC or mobile to a specific person in real-time!

Challenge #2: Need to Understand Different Applications Behind The Same Protocol

■ HTTP is not only used by Web browsing
■ HTTP is also used by: LiveMail, Gmail, YahooMail, GoogleEarth, GoogleMap, Salesforce, iGoogle, mashups, and hundreds of other applications...
■ A user typically has different IDs in different applications

Answer

■ Understand all the applications using a particular protocol (such as HTTP)
■ Deep and stateful analysis of IP packets
■ Connection context and session management
■ Connection expiration management
■ IP fragmentation management
■ Session inheritance management

Challenge #3: Ability to Recognize Regional Protocols

■ Targets may use regional services for Webmail, Instant Messaging, Social Networking, etc.
■ Used by a large number of people in local country and local language
■ Targets can also use services from outside their country of origin, in local language or other languages

Answer

■ Extend protocol expertise to local Webmail, Instant Messaging, Social Networking, etc.

Examples of Regional Protocols

Challenge #4: Many Applications have Evolved from their Initial Use

■ Applications are used differently than their originally intended purpose
■ File transfer in Skype
■ Instant Messaging in WOW
■ Financial transactions in Second Life
■ Use of “Dead Mailboxes” within Webmail => shared storage space and folders (same login/password for different users)

Answer

■ Understand real application usage by correlating multiple sessions and packets
■ Ensure a full view of application / service / user, independently of protocol

To [Camper]: Hey whats up dude
To [Camper]: Is everyone online yet?
[Camper] whispers: nope
until then lol
[Camper] whispers: ok
[Camper] whispers: Lol

Challenge #5: Recognizing Correct Identity Means Going BEYOND OSI Reference Model

Qosmos protocol graph

■ Users can easily hide their identity
■ New, complex communication protocols do not follow OSI model
■ Examples: P2P, Instant Messaging, 2.5G/3G (GTP), DSL Unbundling (L2TP), VPN (GRE), etc.
■ Protocols are frequently encapsulated
■ Example: multiple encapsulations in an operator DSL network (ATM / AAL5 / IP / UDP / L2TP / PPP / IP / TCP / HTTP)

Answer

■ Extract user identity information in real-time, independently of OSI model and dig into encapsulation within several complex IP layers

Example of User Identification within a Tunneled Protocol: L2TP

■ It is important to accurately identify encapsulated protocols such as L2TP (Layer 2 Tunnel Protocol)
■ This enables the tracking of VPN connections between remote employees and enterprise networks

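The encapsulation described in Challenge #5 and on this slide, as an added example (not Qosmos code): a walker that descends from the outer IP header through UDP, L2TP and PPP to the inner IP / TCP / HTTP session. It starts at the outer IP layer rather than ATM / AAL5, and the sample packet, addresses and function names are constructed for illustration.

```python
import struct

def ipv4(src, dst, proto, payload):            # builders for the constructed sample only
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes(src), bytes(dst)) + payload

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def tcp(sport, dport, payload):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0) + payload

def l2tp_ppp(data):
    """Return the PPP frame inside an L2TPv2 data message, or None."""
    if len(data) < 6 or data[0] & 0x80 or data[1] & 0x0F != 2:
        return None                               # short, control message, or not version 2
    off = 6 + (2 if data[0] & 0x40 else 0)        # flags, [Length], Tunnel ID, Session ID
    off += 4 if data[0] & 0x08 else 0             # optional Ns/Nr sequence numbers
    if data[0] & 0x02 and len(data) >= off + 2:   # optional Offset Size plus padding
        off += 2 + int.from_bytes(data[off:off + 2], "big")
    return data[off:]

def ppp_ip(frame):
    """Return the IPv4 packet in a PPP frame, or None (for example LCP frames)."""
    frame = frame[2:] if frame[:2] == b"\xff\x03" else frame   # address/control is optional
    return frame[2:] if frame[:2] == b"\x00\x21" else None

def walk(pkt, depth=0):
    """List the layers of an IPv4 packet, descending into L2TP/PPP tunnels."""
    if depth > 4 or len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["?"]
    body, layers = pkt[(pkt[0] & 0x0F) * 4:struct.unpack("!H", pkt[2:4])[0]], ["IP"]
    if pkt[9] == 6 and len(body) >= 20:
        layers.append("TCP")                      # payload starts after the data offset
        if body[(body[12] >> 4) * 4:].split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
            layers.append("HTTP")
    elif pkt[9] == 17 and len(body) >= 8:
        layers.append("UDP")
        ppp = l2tp_ppp(body[8:]) if 1701 in struct.unpack("!HH", body[:4]) else None
        if ppp is not None:
            inner_ip = ppp_ip(ppp)
            layers += ["L2TP"] + (["PPP"] + walk(inner_ip, depth + 1) if inner_ip else [])
    return layers

# Constructed sample: IP / UDP / L2TP / PPP / IP / TCP / HTTP, documentation addresses.
inner = ipv4((10, 0, 0, 5), (192, 0, 2, 80), 6, tcp(40000, 80, b"GET / HTTP/1.1\r\n\r\n"))
frame = b"\xff\x03\x00\x21" + inner
l2tp = struct.pack("!HHHH", 0x4002, 8 + len(frame), 7, 1) + frame
SAMPLE = ipv4((198, 51, 100, 1), (198, 51, 100, 2), 17, udp(1701, 1701, l2tp))
print(" / ".join(walk(SAMPLE)))
```
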
Challenge #6: Not Possible to Rely on IANA Ports to Track Applications and Users

■ Applications can no longer be linked to specific ports
■ Port 80 = “The crime boulevard”
■ Skype runs on port 80, port 443, or on random ports
■ RTP does not use predefined ports
■ SIP negotiates and defines the ports used for data communication (RTP)

Answer

■ Inspect complete IP flows rather than “packet by packet”
■ Track control connections: e.g. FTP data, SIP/RTP or P2P traffic
■ Ensure a full view of application / service / user independently of protocol

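An added example of the "track control connections" answer, not taken from the Qosmos product: the SDP bodies of a SIP INVITE and its 200 OK are parsed to learn which UDP endpoints will carry RTP, and flows are then labelled from that state instead of from a port table. The messages, addresses and function names are constructed for illustration.

```python
IANA = {("tcp", 80): "http", ("udp", 5060): "sip"}   # port-only view, for contrast

def media_endpoints(sip_message):
    """Return the (ip, port) pairs that a SIP message's SDP body announces for RTP."""
    _, _, sdp = sip_message.partition("\r\n\r\n")
    session_ip, media = None, []                 # media: one [ip, port] per m= line
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2].split("/")[0]
            if media:
                media[-1][0] = ip                # media-level c= overrides session-level
            else:
                session_ip = ip
        elif line.startswith("m=") and "RTP/" in line:
            media.append([session_ip, int(line.split()[1].split("/")[0])])
    return {(ip, port) for ip, port in media if ip and port}   # port 0 = stream refused

def is_rtp(payload):
    """RTP sanity check: a full 12-byte header carrying version 2."""
    return len(payload) >= 12 and payload[0] >> 6 == 2

def classify(flows, sip_messages):
    """Label (proto, dst_ip, dst_port, payload) flows using state learned from SIP."""
    expected = set()
    for msg in sip_messages:
        expected |= media_endpoints(msg)
    labels = []
    for proto, ip, port, payload in flows:
        if proto == "udp" and (ip, port) in expected and is_rtp(payload):
            labels.append("rtp")
        else:
            labels.append(IANA.get((proto, port), "unknown"))
    return labels

# Constructed samples (documentation addresses): an INVITE, its 200 OK, four flows.
INVITE = ("INVITE sip:bob@example.test SIP/2.0\r\nContent-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n")
OK = ("SIP/2.0 200 OK\r\nContent-Type: application/sdp\r\n\r\n"
      "v=0\r\nc=IN IP4 198.51.100.20\r\nm=audio 0 RTP/AVP 0\r\n"
      "m=audio 30000 RTP/AVP 0\r\nc=IN IP4 198.51.100.21\r\n")
RTP = b"\x80\x00" + bytes(10)
FLOWS = [("udp", "192.0.2.10", 49170, RTP), ("udp", "198.51.100.21", 30000, RTP),
         ("udp", "192.0.2.10", 49170, b"\x00" * 12), ("tcp", "203.0.113.5", 80, b"GET /")]
print(classify(FLOWS, [INVITE, OK]))
```

Because the SDP body is written by the endpoints themselves, the RTP header check keeps an announced port from labelling arbitrary UDP traffic as media.
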
Challenge #7: Adapt Rapidly to New Protocols

■ Difficult to handle an increasing number of protocols with dedicated ASICs
■ Long development times (MONTHS)
■ Limited flexibility

Answer

■ Use a software-based approach, ensuring greater flexibility, easy updates and short development time (DAYS)
■ Shorten lead times to answer quickly to mounting threat patterns
■ Ensure high packet processing performance by using the latest standards-based, multi-core architecture
■ Make the software portable across different hardware platforms
■ Appliances, routers, IP DSLAMs, GGSNs, Set-Top-Boxes, PCs, etc.

A Short Illustrative Demo

[Screenshot: protocol tree view listing nbns, tftp, tcp, aim, ssl, https, http, hotmail, soap, google, ymail, mmse, dns, pop3, rtsp, msn, smtp, ymsg, mms and unknown, with incoming and outgoing volume columns. Properties panel for msn: "The MSN protocol allows the exchange of instant messages. The MSN protocol is used by the Microsoft software..." Chart: Volume (bytes).]

Monitor: Display values in real time

Qosmos Legal Intercept Solutions

■ Qosmos and its integrator partners offer a complete interception solution including:
■ Flow classification
■ Applicative classification
■ Information extraction
■ Selective recording
■ Application transcoding (mail, etc.)
■ Visualization

Summary: It Is Possible To Accurately Identify Users!

SPECIAL OFFER: Get your free evaluation of ixEngine at the Qosmos booth!